Fraud and scams

This section

Every year we see thousands of complaints involving fraud and scams. The circumstances are wide-ranging, from disputed card transactions and cash machine withdrawals to online banking fraud and identity theft. Fraud causes both financial and emotional damage so it’s very important that businesses take that into account as part of investigating a complaint.

Customers typically bring their complaint to us when their bank refuses to refund the money that’s been lost.

One of the important questions to consider is whether the payment in question is authorised. In broad terms, ‘authorised’ in this context means that a consumer gave their bank an instruction to make a payment from their account, in line with its terms and conditions. In other words, they knew that money was leaving their account – wherever that money actually went.

Regulations state that where a customer hasn’t authorised a payment, the bank should refund the money – so long as the customer hasn’t acted fraudulently, or with intent or ‘gross negligence’. Note that, we take the view that ‘gross negligence’ is an appropriately high bar and goes well beyond ordinary carelessness.

When it comes to payments that customers have authorised themselves, the starting point at law is that their bank won’t be liable for the customer’s loss, even when it’s the result of a scam.

There are, however, some situations where we believe that banks, taking into account relevant rules, codes and best practice standards, shouldn’t have taken their customers’ authorisation instruction at ‘face value’ – or should have looked at the wider circumstances surrounding the transaction before making the payment. And on 28 May 2019, a voluntary code comes into force which will give consumers further protection.

We’ll look carefully at the circumstances behind each complaint, examine the evidence and decide – on balance – what we think has happened, and who should fairly and reasonably bear the loss.

1. Types of complaints we see

The range of complaints we see is constantly evolving as fraudsters develop new and increasingly sophisticated methods. These often rely on highly manipulative techniques known as ‘social engineering’ to trick the customer into parting with their cash, or sharing confidential information. In other instances, the customer tells us their card or banking details, or their identity, were obtained and used fraudulently. Sometimes customers simply have no idea how so many of their personal details were obtained by the fraudster.

A large portion of the complaints we see fall into the following three categories:

plastic card transactions that the customer tells us they didn’t make or authorise – such as purchases of goods or services online or in stores or nightclubs, for example

scams where the customer was tricked into handing over their bank details, allowing the fraudster to take money from their account without their consent

scams where the customer was tricked into transferring money to the fraudster’s account – often because they believed they were making a payment to their bank or another trusted organisation

Examples of other complaints we see involving fraud and scams include:

ID theft, where a fraudster has used the customer’s identity to obtain goods or services – typically a loan from a payday loan company

cheque conversion, where a cheque has been stolen by a third party

cases where a customer feels they’ve been unfairly placed on a fraud prevention database

2. What we look at

As with every case, in reaching a decision about what’s fair and reasonable, we consider:

the relevant law and regulations

any regulator’s rules and guidance that applied at the time

any industry codes of conduct in force at the time

what we consider was good industry practice at the time

If there are disagreements about the facts, we’ll make our decision about what probably happened using evidence provided by you, your customer and relevant third parties.

Plastic card fraud involves any kind of spending on a plastic card that wasn’t authorised by the cardholder. It happens in a variety of places, including shops, bars and restaurants, and also with goods or services bought online or over the phone.

Typically, the customer notices the transaction on their account and complains that they didn’t make or authorise it. The transaction may have been made with a debit or credit card and by presenting the card in person or remotely.

We may never know in many of these cases with certainty what happened. Our role will be to establish what we think is most likely to have happened. To help us understand this, we’ll ask for information from the customer and you, including:

where the customer was at the time of the disputed transaction

how the transaction was made – whether in person, by phone or over the internet

the nature of the transaction, including when and where it was made, and what it was used to pay for

the outlet where the transaction was made

how the transaction was verified by the system, for example, by personal identification number (PIN) or password

the electronic audit trail for the transaction

the customer’s previous use of the plastic card

If we decide that the customer didn’t make or authorise the disputed transaction, we’ll then assess whether they have any liability for it – and, if so, how much.

Many of the complaints we see are from customers who tell us they were tricked into handing over confidential information that enabled fraudsters to access their money. For example, the customer may have:

received an official-looking email or text message they believed to be from their bank or another trusted organisation, with a link to a fake website – where the customer then entered confidential banking details

got a phonecall claiming to be from their bank or another organisation they believed to be genuine, and were tricked into handing over confidential information about their account

Generally, when a customer has not authorised a transaction, they’re not liable for the loss – unless they’ve failed with intent, or ‘gross negligence’ to keep their payment and security information safe. Frequently, then, the dispute will centre on whether the customer acted in a ‘grossly negligent’ way. We consider the bar for gross negligence to be a very high one.

If we’re satisfied the customer didn’t authorise the transaction and was the victim of a scam, we’ll want to understand how the customer was manipulated into sharing sensitive information. For instance, if the customer received a fraudulent email or text message, we’ll want to see it.

A common feature of many scams is that the fraudster will often create an environment which plays on the emotions of the consumer – for example fear of losing all their money. We’ll take into account the environment created by the fraudster as part of our considerations.

One of the fastest-growing types of fraud is ‘authorised push payment’ (APP) fraud – where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves. Fraudsters use a wide variety of methods to carry out APP fraud. The following two scenarios are typical of the complaints we see.

The customer is expecting to make a payment for goods or services, but is tricked into making the payment to an account controlled by the fraudster. Typically this happens after the customer responds to an invoice attached to a fake or intercepted email claiming to be from the person or organisation the customer was expecting to pay.

The customer receives a phone call from ‘their bank’, telling them that their account is at risk and they need to temporarily move their money to another account to keep it safe. The fraudster will use information they’ve researched about the customer in advance to sound convincing. They can even make the bank’s official phone number display in the caller ID screen on the customer’s phone (often referred to as ‘spoofing’).

Our approach to APP fraud complaints

Investigating complaints involving APP fraud can be a complex process. The starting position at law – based on current regulations – is that liability rests with the customer if they consented to the transaction. But this isn’t the end of the story.

So, as well as wanting to understand how the scam unfolded, and how the customer was deceived, we’ll want to consider the bank’s behaviour, too. Businesses, for example, are more likely to have greater knowledge of the range of frauds that exist today then the average customer and are sometimes in a better position to identify a potential fraud.

This means we’ll ask you a range of questions to understand how you handled the transaction – for example:

what security checks did you carry out?

were there any triggers that should have made you question the customer about the transaction? (For example, was it a large or unusual transaction? Did the transaction seem out of character? Was it to a new payee?)

if you’d asked more or different questions, is that likely to have made a difference to the outcome?

We’ll also consider relevant industry guidance and codes of practice in place at the time of the scam, including:

ID theft happens when a fraudster uses someone else’s identity to obtain goods and services. The most common example we see is where a customer tells us a fraudster has applied for a loan (usually from a payday loan company) in their name, and then withdrawn the loaned money from their current account. Often the complaint centres on who should bear the loss, and to what extent.

In cases like this, where the consumer did not make the loan application, its usually appropriate for the lender to put things right. So we’d take the view that the complaint should be directed against the loan company in the first instance.

When we investigate this type of complaint, key things we’ll want to establish are:

did the customer play any part in the loan application?

did the customer play any part in the withdrawal of the proceeds from their account?

To help us decide, we’ll ask for a range of information from the customer, the bank and the lender – along with evidence to back up what they tell us.

Questions we’ll ask the customer might include:

how did they become aware of the problem?

have any important documents, such as passports or driving licenses, gone missing?

if so, did they report the loss in order to get a replacement, and can they show us evidence to prove this?

We’ll ask the lender to explain the reasons why they believe the customer is responsible for the loan. We’ll also ask the lender to give us:

a copy of the loan application documents (including any ID documents provided)

a copy of their investigation and customer notes

details of any technical information such as the IP address from which the application was made, if it was made online

details of their customer ID processes

We’ll ask the bank to give us:

an audit trail showing the transactions in question

statements for the period in question

the customer’s address history

the card and PIN history (where a card was used)

details of the customer reporting the card as lost or stolen (where a card was used)

the online/mobile banking security credential issue history

the online/mobile banking access history

a copy of their customer and investigation notes

After we’ve looked at the evidence, we may decide the customer didn’t take out the loan, but did withdraw or use the proceeds of the loan . We’ll consider carefully what happened and whether it’s appropriate or not to ask the loan company to write off the debt in all the circumstances.

Fraud prevention agencies hold information about people who’ve committed fraud in the financial services sector. They also hold information about people who’ve been the victim of fraud or identity theft. The largest cross-sector fraud prevention agency in the UK is CIFAS.

We can’t look at complaints against fraud prevention agencies themselves. But we can look at complaints about financial businesses that have passed information on to a fraud prevention agency.

Whilst fraud prevention markers are a valuable tool in the fight against fraud, they can have serious consequences for consumers if not applied fairly. Things we typically hear from customers experiencing problems as a result of a fraud prevention marker applied by their bank are:

‘I haven’t been able to open a bank account’

‘my bank closed my account and I can’t open another one’

‘I applied for a mortgage but it was rejected – the lender said there was adverse information about me, but I can’t find anything on my credit file’

‘I was scammed but the business recorded information about me with a fraud prevention agency – I want it removed as it wasn’t my fault’

‘I did a subject access request to a fraud prevention agency and found out my bank recorded information with it – I want the bank to remove it’

The questions we might have to consider when deciding what’s fair and reasonable include:

Was it fair and reasonable for the business to report information to a fraud prevention agency in all the circumstances? When deciding this, one thing we’ll think about is whether the business can demonstrate it met the test for recording fraud markers set by the fraud prevention agencies – typically that it had reasonable grounds to believe that fraud or a financial crime has been committed or attempted; and the evidence of it is clear, relevant and rigorous, such that the conduct could confidently be reported to the police.

Did the financial business make a mistake when it recorded information about a customer with a fraud prevention agency? We’ll review the information about the customer on the database and check whether it’s accurate.

3. Handling a complaint like this

When you receive a complaint involving fraud and scams, you should reply to your customer within 15 days, as set out in the Payment Services Regulations (PSR) and the Electronic Money Regulations (EMR).

If you don’t reply within the time limits, or the customer disagrees with your response, they can bring their complaint to us. We’ll check it’s something we can deal with, and if it is, we’ll investigate.

We’ll expect you to be able to show us that you’ve investigated the complaint thoroughly, and have reflected carefully on the circumstances of the events. In cases where you believe your customer was grossly negligent, we’ll expect you to bear in mind that ‘gross negligence' has a very high bar.

4. Putting things right

If we decide you’ve treated the customer unfairly, or have made a mistake, we’ll ask you to put things right. Our general approach is that the customer should be put back in the position they would have been in if the problem hadn’t happened. We may also ask you to compensate them for any distress or inconvenience they’ve experienced as a result of the problem.

The exact details of how we’ll ask you to put things right will depend on the nature of the complaint, and how the customer lost out. The following examples give an idea of our approach.

In complaints involving plastic card fraud, or scams where the customer didn’t authorise the transaction, if we decide the customer didn’t act with intent or gross negligence, we’ll ask you to refund the loss along with appropriate interest from the date of the loss to the date of the settlement.

In complaints involving fraud or scams where the customer authorised the payment, we may find that you didn’t follow industry guidance or codes of practice designed to protect the customer from fraud. If we think the outcome is likely to have been different had you done so, we might ask you to refund all or some of the customer’s loss. We may also award interest and a trouble and upset payment depending on the circumstances.

In cases of ID theft where we decide the customer played no part in the application for, or use of, the product taken out in their name, we’re likely to ask the provider of the product (such as the lender of a payday loan) to write off any debt incurred and we’ll also consider the impact this has had on the customer’s credit file.

If we think a customer has been unfairly placed on a fraud prevention agency’s database, we may ask you to remove their information from the database and we’ll also consider whether it’s appropriate to compensate the customer for any resulting losses.

5. Case studies

Nadia contacted us after the bank refused to refund £100,000 of her money she was persuaded to send to a fraudster by a sophisticated social engineering scam.

Nadia said she received a call that she thought was from the Police. She was told staff at her local branch had been stealing money from customers and her account was under threat. The call was actually from a fraudster. They convinced her that she needed to move all of her money to a ‘safe account’ in order to protect herself from fraud.

Following the instructions she was given, Nadia made four transfers in branch for £25,000 each over the course of four days. She transferred the money to an account abroad using the account information the fraudsters had provided to her – thinking this was a ‘safe account’ in her name. She was told to tell the branch staff, if asked, that the money was being used to pay for a wedding.

She then waited for details of her new “safe account” to arrive in the post in line with what the fraudster had told her. When this didn’t happen she became suspicious and called the Police who told her there was no investigation and she should call the bank immediately.

The bank confirmed she had been the victim of a scam but it said that it wouldn’t refund the money because she had authorised the payments herself.

What we said

We asked Nadia and the bank what conversations had taken place when Nadia went into branch to make the transfers.

The bank told us that Nadia was well known in branch by staff who recognised that the transactions were unusual and out of character for her. But it said because she answered all of the questions from its script on scams, including one which asked “are you making these transactions on the instructions of someone else?“, and she was able to explain what the money was for, it followed her instructions. So it didn’t need to refund the money to her.

Nadia remembered being asked some questions but said that because she was told to go in with a cover story and she was extremely nervous and anxious about the whole situation and what was happening to her savings, she didn’t really take in what was being said to her. She said she just wanted to make the transactions quickly and get out of the branch.

Scams like this are becoming increasingly common, so banks need to be on the lookout for them and they also know that they can’t necessarily rely on the answers given to them by their customers because it’s possible that the customer may – like Nadia - be under the control of a fraudster.

There is an arrangement between banks and the Police called the Banking Protocol which means that when a bank is concerned or suspicious about an out of character transaction it can contact the Police who will speak to the customer.

We looked carefully at Nadia’s previous account activity and her circumstances at the time. We felt that whilst the bank had asked some questions, Nadia’s behaviour and the nature of the transactions was so out of character, that we though it ought to have asked more questions and followed the guidance set out in the banking protocol.

In Nadia’s case we felt that the bank had enough information that it ought to have been concerned Nadia could be the victim of a scam notwithstanding the answers she had given. And we said if it had asked more questions or called the Police we thought the scam would’ve been prevented. So we told the bank to put things right by reimbursing her the £100,000 and the interest she lost because the money was not in her savings account and a payment for the trouble and upset she had suffered as a result of the banks actions.

Grace was at home with her two young children – her husband was working abroad at the time. She received a call from someone saying they were from HMRC and she needed to pay a tax bill or she would be deported and a warrant for her arrest would be issued. She was told she needed to pay £15k to settle the bill in a series of small payments.

Feeling like she had no choice and worried about what would happen to her family if she didn’t pay, Grace followed the instructions she was given whilst the fraudster remained on the phone.

To make the payments Grace first had to move all the money in her husband and her savings account with the bank to their current account. She then set up a new payee as instructed and made four payments to the new payee, each payment was around £2.5k.

The fourth payment was blocked by the bank – it couldn’t tell us why and it didn’t contact Grace at that point. As the fourth payment hadn’t been received, the fraudster told Grace she needed to set up another new payee to finish the payments. Grace had to transfer more money from another account with the bank to fund these payments. Following that she set up the second new payee and sent a further two payments to that second new payee.

After she completed the payments, the phone-line went dead. Grace thought something was wrong and called her bank. The he bank explained she’d been the victim of a scam, but said it wouldn’t refund her money as she had made the payments herself.

What we said

We looked at the pattern of transactions and the relevant industry guidance and good practice in place at the time including the the British Standards Institute: PAS 17271:2017 - Protecting customers from financial harm as a result of fraud or financial abuse – Code of Practice which has been in place since October 2017.

The aim of the BSI code is to help banks to protect customers from financial harm by identifying good practice in systems and procedures to prevent and detect fraud.

Specifically it says banks should have measures in place to detect suspicious transactions or activities that might indicate fraud. The BSI code includes examples of account activity indicators that might suggest a customer could be the victim of a scam and that the bank should contact the customer to verify the activity.

We thought the pattern of activity on Grace’s account was the type of activity the BSI Code of practice warned against and so we thought the bank should’ve done more to intervene here. We were persuaded that if the bank had intervened and contacted Grace to discuss the activity it would’ve discovered Grace was being scammed and it could’ve prevented her sending any further money to the fraudsters.

Following our investigation, the bank told our investigator that it would refund all of Grace’s money together with interest, including the money she sent before the point it should have intervened as would still have been possible to recover the money from the fraudsters account at that point. Grace and her husband were happy to accept the bank’s offer.

Tom received a call from someone pretending to work for his telephone provider saying he was due a refund. He gave over his card details so he could receive the payment. After the call ended he felt uneasy about how much information he’d given to the caller and on reflection wasn’t sure if the call had been genuine. He called his bank and explained what happened. Tom felt uneasy about what had happened and Tom asked his bank several times if he was safe and if anyone could do anything else with the information he’d given away. The bank member of staff cancelled his card, but reassured him that no one could do anything with the information he had given away in the previous call and that he would be safe.

Shortly after the genuine call with the bank, Tom received another call from someone pretending to be from his bank. The fraudsters had been able to manipulate the technology to make it appear on Tom’s phone that they were calling from his bank. They also had various details about him and his account which convinced Tom he was speaking with his genuine bank.

The fraudsters explained his account was under threat and he needed to move his money to a safe account. He then made one online transfer for £2,500k (which included all of the money in his account and took his overdraft to its maximum limit) to an account with the details he’d been given by the fraudsters.

A few hours after that Tom felt something wasn’t right and called the bank - they told him he’d been scammed. The bank said it wasn’t responsible though, as Tom had knowingly sent the money from his account although they appreciated he didn’t know it was going to fraudsters.

What we said

We listened to the call Tom had with the bank when they cancelled his card. We felt the bank had missed a key warning sign that Tom had just been phished for information (which is a known common tactic used by fraudsters to gain information before going on to scam them).

We thought that the bank staff didn’t really listen to what Tom was telling them. It didn’t act upon this or warn Tom about the different types of scams and how fraudsters can use information they’ve “phished” from customers to convince them they are speaking to their bank when in fact they aren’t. If it had, we were persuaded this would’ve prevented the scam when Tom was called just shortly after by fraudsters. We told the bank to refund all the money Tom lost in this scam – together with interest a payment for trouble and upset.

Chantelle was searching for a studio flat using a free classified advert website. She found a flat that she liked and contacted the person she thought was the landlord. She went to view the flat and signed a contract which all appeared to be genuine. After several email exchanges with the person who had claimed to be the landlord she agreed to rent the flat. She paid 6 weeks’ deposit and one month’s rent to secure the flat.

When Chantelle made the payments this triggered the bank’s fraud systems and her bank called her to verify the payments were genuine. When she explained to the bank that she was paying a deposit and rent to a landlord it explained there were scams in existence and she should be careful when proceeding. Chantelle said she had been to see the flat and had a contract from the landlord so had no reason to believe anything was wrong and so wanted to proceed with the payment which the bank agreed to – in accordance with the mandate on the account.

On moving day (4 weeks later) Chantelle turned up at the flat and the genuine landlord was there. He said the previous tenant had advertised the flat without permission and pretended to be landlord. He had keys to the flat so was able to show people around and had been able to make a fake contract. He had done this to several other people and taken their money in a similar way.

What we said

The bank had picked up the transaction through its fraud systems and made contact with Chantelle before completing the transaction and we thought this was good practice. When speaking with Chantelle we thought it listened to what she was saying and gave her warnings about relevant scams. It was reassured by Chantelle’s responses and completed the transaction in line with her instructions and the mandate on the account.

The chain of events here were extremely unfortunate and we were sympathetic to Miss Chantelle’s circumstances. But we felt here that the bank had followed good industry practice and we didn’t think it could have or ought to have known she was the victim of a scam. We felt the advice and warnings it gave to Chantelle before she made the payment were clear and it couldn’t have done anything else to prevent the scam.

Chantelle’s bank made contact with the receiving bank as soon as they were notified of the scam. But by that time, the money had already left the scammer’s account and there was nothing more Chantelle’s bank could have reasonably done to stop that, or to recover the funds.

We concluded that whilst Chantelle had been the innocent victim of a cruel scam, we didn’t think it was fair to ask the bank to refund the money she had transferred in these circumstances.

Paul agreed to buy an iPhone 8 for £300 through an online auction site. When it came to payment the seller asked that Paul make a bank transfer rather than using the auction site’s recommended payment channel, as they said it was quicker and there wouldn’t be any fees to pay. On receipt of the payment the seller said they would send the phone in the post. Paul set up the online payment and transferred £300 to the seller.

The bank provided a warning about auction site scams on its online banking site. Paul says he read the warning but thought it didn’t apply to him as he had bought things from the auction site many times before, using this payment method and hadn’t had any problems in the past. And he felt reassured as the seller had an excellent rating – so he thought everything would be fine.

A week later when the phone hadn’t arrived he contacted the seller but received no response. After several attempts at contacting the seller without any success Paul contacted his bank to say he’d been the victim of a scam. His bank contacted the receiving bank to see if they could put a stop on the funds leaving the account. But by this time, the scammer had already moved the money out of the account.

What we said

We looked at Paul’s account history and at the types of payments he usually made. Having done so we felt that this transaction was not out of character or unusual for Paul, in fact we could see he made payments of this nature on a regular basis for similar and often higher amounts. The transaction wasn’t picked up by Paul’s bank. But we didn’t think that was unreasonable bearing in mind the value and nature of the payment and that it wasn’t out of character in comparison to his normal account activity.

The bank had also provided a warning which Paul said he had read but decided to proceed anyway. So overall we didn’t think the bank acted unreasonably – and we could see that Paul’s bank couldn’t have recovered the money from the receiving bank as the funds had already been moved on. So we didn’t think it would be fair in the circumstances to tell the bank to refund Paul.

6. Resources

Refer to the Payment Services Regulations setting out the laws affecting fraud and scams complaints.